Manoharan Mudaliar

Cyber Security Consultant

A Penetration Testing Guide for Compliance

The world today is more regulated than it ever was. The business landscape, for example, is inundated with regulations and legal requirements that must be followed for smooth operations. Organizations across all industries have to comply with a myriad of regulations and standards governing information security.

Consumers provide businesses today with large amounts of sensitive data about themselves and their financial status. The stakes surrounding consumer data are higher than they ever were, considering the sensitivity of the data businesses now hold and the damage consumers will suffer if that data lands in the wrong hands.

Many regulations concerning consumer data require businesses to undertake penetration testing, an ethical hacking practice used to identify and address vulnerabilities in the security of your networks, applications and systems. Some regulations and laws explicitly call for penetration testing, while others imply it through the need to build additional assessment processes that mitigate the cyber risk looming over organizations.

In this blog we take a look at some of the common standards and regulations that relate to pen testing and provide the guidance you need.

GDPR

GDPR is the Godfather of all data regulations and governs countries and organizations operating within European markets. GDPR, which is short for General Data Protection Regulation, has been around for a couple of years now and imposes the responsibility of securing consumer data on businesses.

The United Kingdom has enshrined GDPR requirements within its own Data Protection Act of 2018. These regulations were crafted well in advance to take center stage once the UK leaves the European Union.

The GDPR covers all facets of data protection and especially highlights the need for organizations to improve the security and governance surrounding consumer data. Organizations handling personal data should have the best measures in place to ensure that data is secure at all times and is being governed appropriately.

The GDPR Article 32 specifically requires organizations to implement, “A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing”.

The Information Commissioner’s Office, or ICO, is the authority responsible for overseeing data protection in the United Kingdom. The ICO’s online guidance states that organizations should regularly conduct the vulnerability scanning and penetration testing assessments called for by the GDPR. Any risks identified during testing should be recorded and handled appropriately. In line with the GDPR’s focus on personal information, organizations should identify the key endpoints where testing is necessary.

I advise you to conduct GDPR penetration testing on an annual basis to screen your internal and external data infrastructure. Organizations should also include web application testing within the pen testing scope if the business exposes payroll systems, CRM systems, email or other sensitive personal data online.

ISO 27001

ISO 27001 is an internationally recognized and widely adopted information security standard that sits within the ISO/IEC series of international standards. The ISO 27001 standard sets out a broad framework of controls for an Information Security Management System (ISMS).

To become certified against this standard, organizations should implement an appropriate set of security controls. These controls should deal with identifying and assessing the security risks currently present across the networks in place.

ISO 27001 is clear that organizations have the liberty to select security controls based on their own assessment of security risks. This means that no particular set of controls listed in the standard is mandatory; rather, the standard provides a list of best practices that you should consider and keep up with.

Control objective A.12.6.1 of ISO 27001 states that information about technical security vulnerabilities in the systems in use should be obtained and acted upon in a timely manner. All organizations should determine their exposure to these vulnerabilities and take appropriate measures to decide the right way forward.

Penetration testing can come in handy across multiple stages of an ISMS project. Organizations should therefore look for a flexible penetration testing provider that not only tailors the assessment but also meets their bespoke requirements. Risks identified during the pen testing process should be treated as part of a continuous improvement process. No identified risk should be left untreated.

PCI DSS

Of all the data that consumers provide on a payment or ecommerce platform, cardholder data is perhaps the most important. The information on a consumer’s card is extremely sensitive and must not land in the wrong hands. The Payment Card Industry Data Security Standard, or PCI DSS, lists a set of requirements for businesses to follow. All companies that process online transactions and gather card data from consumers are required to undergo PCI security audits for full compliance.

Requirement 11 of PCI DSS 3.2 is clear on what it demands from businesses: it requires them to carry out regular penetration testing. Organizations that gather consumer cardholder data and fall within the scope of PCI DSS must perform external and internal pen testing at least annually. The tests must also be repeated after any significant change to the infrastructure.

Organizations performing pen testing to comply with PCI DSS should aim to identify issues such as poor access controls, coding vulnerabilities, encryption flaws and unsafe configurations.

NIS Directive and Regulations

The NIS Directive, better known as the Network and Information Systems Directive, is currently in force within the UK as part of a pan-EU plan. The directive exists to improve the security and resilience of critical online services.

The NIS Directive applies to all operators of essential services, or OES. These include transport, healthcare providers, utilities and Relevant Digital Service Providers (RDSP). Online marketplaces, cloud computing services and online search engines are also covered as essential services.

The NIS Directive doesn’t directly impose penetration testing standards, but regulations within the plan do mandate effective protection against cyber risks and attacks. Objectives A and B within the plan require businesses to carry out assessments, verification, inspections, testing and auditing to maintain a secure environment.

While the NIS Directive doesn’t go deep into testing requirements, it draws parallels with the requirements and guidelines set out in the GDPR. OESs and RDSPs can follow the testing procedures required by the GDPR to stay on the right side of NIS.

NHS DSP Toolkit

The Data Security and Protection (DSP) Toolkit is a self-assessment tool for organizations in the UK’s healthcare sector. It helps healthcare organizations improve security by benchmarking themselves against the NDG Standards. The NDG, or National Data Guardian, standards apply to all organizations currently operating in the social care and healthcare sectors.

NDG Standard 9 clearly states that an actionable strategy should be in place to protect sensitive IT systems and consumer data from cyber threats. This strategy should at least include penetration tests covering critical network infrastructure and your web services.

The NHS Digital guidance recommends that organizations tread carefully when scoping tests, to prevent adverse effects on the systems or assets being assessed. Sub-clause 9.4.3 also recommends that organizations find a penetration testing provider that can help them run tests smoothly.

Choosing a Pen Testing Supplier

Reading through and complying with the numerous requirements and regulations of security legislation can be daunting. However, it is equally important to understand the benefits that come from testing your core network processes and gateways. While penetration testing has innumerable benefits of its own, holding regular tests on an annual basis also lets you comply with several regulations at once.

Any organization performing penetration testing for compliance and security purposes should look for a flexible provider that not only understands the regulation but can also tailor its testing methods to your industry and services. Your pen testing provider should understand your requirements and the latest pen testing standards that can be used to meet them.

Finally, it is crucial that you don’t view penetration testing as a tick-box exercise performed purely for compliance. Penetration testing is critical to your organization’s reputation and its data security practices, and you should perform it regularly to keep up with the ever-changing threat landscape.

A cyber security consultant can help you perform penetration testing and remain compliant. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.

Manoharan Mudaliar
Consultant and Blogger